Dependency governance you don’t need a
platform team to
run.
depproof audits your dependency licenses and supply-chain risk from open data — resolving the full Maven & Gradle tree with no build or lockfile, and running as a single container or GitHub Action. Self-hosted, host-agnostic, flat-priced.
- uses: depproof/depproof-action@v0
with:
path: . # your Maven/Gradle project
fail-on: copyleft # or: unknown, vuln-high, none
sbom: cyclonedx # emit a CycloneDX SBOM artifact
# → self-contained HTML report + SBOM, published as build artifacts
# → full transitive tree, licenses resolved, policy enforced — no build required The gap
Every governance tool makes you choose something you shouldn’t have to.
Host-native tools (GitHub Code Security, GitLab Ultimate) only govern their own host — a GitHub + GitLab shop needs two of them, two dashboards, and the top-tier per-seat bill on both.
SaaS scanners want your code and findings in their cloud — a new subprocessor to vet and data leaving your perimeter, on a per-developer price that grows with your team.
Heavy self-hosted platforms can stay in-perimeter — but only if you staff a server, a database, HA, and Java expertise to keep them running.
JVM transitive resolution is caveated almost everywhere — needing a build, a lockfile, or dependency-submission just to see the tree accurately.
depproof is the combination none of them offer: lightweight, host-agnostic, self-hostable, flat-priced, open-data, with accurate JVM resolution — no build.
How it works
Point it at a repo. Get an audit you can act on.
Resolve
depproof reads your Maven/Gradle project and resolves the full transitive dependency tree with Aether — the same resolver the ecosystem trusts — without running your build.
Enrich & check
Each dependency is matched to its license and to advisory data from OSV.dev, then checked against your policy: allowed licenses, blocked copyleft, severity thresholds.
Report & gate
You get a self-contained HTML report and a CycloneDX SBOM as build artifacts — and a pass/fail gate so a bad license or CVE stops the PR, not the release.
Full transitive resolution
Resolves the complete Maven/Gradle dependency tree with Aether — no build, no lockfile, no dep-submission dance. The accurate graph everything else depends on.
License audit & policy
Every dependency’s license, resolved and normalized, checked against a policy you define. Fail the build on a copyleft or unknown license before it ships.
Open data (OSV.dev)
Vulnerability and advisory data comes from OSV — open, auditable, portable. No proprietary database to lock you in or hold your findings hostage.
CycloneDX SBOM
Emit a standards-compliant CycloneDX SBOM for every scan — the evidence artifact your compliance, procurement, and EO-14028 / EU-CRA obligations ask for.
One lightweight image
A single ~31MB container. No server to babysit, no database, no HA cluster, no Java platform team. Run it in CI or on a laptop the same way.
Self-hosted by default
Runs entirely inside your perimeter. Your code and your findings never leave it — nothing to send to a vendor cloud, no new subprocessor to vet.
Why depproof
The advantage is the combination — not any one box.
We don’t out-feature the incumbents on raw depth, and we say so. depproof wins when your estate doesn’t fit anyone else’s trade-offs.
One layer, every host
GitHub-native governance can’t see GitLab repos, and vice versa. depproof governs GitHub, GitLab, Bitbucket and any CI from a single layer — because it runs where you run it.
Priced to cover everything
Per-seat and per-committer pricing quietly pushes teams to under-scope coverage. depproof is flat — free under $1M revenue — so you can scan 100% of your repos, not just the ones you can afford.
Your data stays yours
Self-hosted and built on open data (OSV). No proprietary vulnerability DB, no vendor cloud holding your SBOMs. Switch hosts, switch CI, keep your governance.
No platform team required
The self-hostable heavyweight in this category needs a server, a database, HA and Java expertise to run. depproof is one image you already know how to operate.
How depproof compares
An honest, capability-by-capability view. ✅ shipping today · 🟡 on the roadmap · ⚪ not offered.
| Capability | Host-native (GH / GitLab) | SaaS scanner | Heavy self-hosted | depproof |
|---|---|---|---|---|
| Governs GitHub and GitLab and CI | ⚪ own host only | ✅ | ✅ | ✅ |
| Runs fully in your perimeter | ⚪ mostly cloud | ⚪ SaaS | ✅ | ✅ |
| Light to operate (one image) | n/a hosted | n/a SaaS | ⚪ server + DB + HA | ✅ |
| JVM transitive tree, no build/lockfile | 🟡 caveated | ✅ runs build | ✅ | ✅ Aether, no build |
| Open, portable data (OSV) | ⚪ proprietary | ⚪ proprietary | ⚪ proprietary | ✅ |
| Pricing model | per-committer | per-developer | per-application | flat · free <$1M |
| Org-wide dashboard & blast radius | ✅ | ✅ | ✅ | 🟡 roadmap |
Org-wide aggregation is table stakes across incumbents; depproof’s control plane is in active development. We’d rather tell you that than overclaim it. See the FAQ for the honest version.
depproof is for you if…
- Your estate spans more than one code host or CI system.
- You’re priced out of — or unwilling to pay — top-tier per-seat governance just to give security a dashboard.
- Your code and findings can’t leave your perimeter.
- You also can’t staff a heavy on-prem platform to keep them in it.
- You’re JVM-heavy and tired of inaccurate transitive resolution.
- You want open data and no lock-in to a host or proprietary DB.
You probably don’t need depproof if…
- You’re all-in on one host and happy paying for its premium governance (GHAS, GitLab Ultimate).
- You’ve standardized on Snyk or Nexus and are content with the cost and deployment.
We’re not a rip-and-replace for a happy single-vendor shop. We build for the gap those tools leave — and we’ll say so on a call.
Audit your first repo in five minutes.
Add the Action to a workflow, or pull the image and run it locally. Nothing to sign up for, nothing leaves your perimeter.